In GitHub's Fedora-based CI containers the directory /nix may already exist
(e.g. from the base image or a previous build layer) and is often owned by
root:root. In this situation the Nix single-user installer aborts with:
"directory /nix exists, but is not writable by you"
This caused the container build to fail during `init-nix.sh`, leaving no
working `nix` binary on PATH. As a result, the runtime wrapper
(pkmgr-wrapper.sh) reported:
"[pkgmgr-wrapper] ERROR: 'nix' binary not found on PATH."
Local runs did not show the issue because a previous installation had already
created /nix with correct ownership.
This commit makes container-mode Nix initialization fully idempotent:
• If /nix does not exist → create it with owner nix:nixbld (existing logic).
• If /nix exists but has wrong owner/group → forcibly chown -R nix:nixbld.
• A warning is emitted if /nix remains non-writable after correction.
This guarantees that the Nix installer always has writable access to /nix
and prevents the installer from aborting in CI. As a result, `pkgmgr --help`
works again inside Fedora CI containers.
https://chatgpt.com/share/69384149-9dc8-800f-8148-55817ece8e21
Changes included:
• GitHub Actions workflow: rename job from 'test-unit' to 'test-container' to match intent.
• RPM packaging: replace %{_libdir}/package-manager with a fixed /usr/lib/package-manager
to avoid lib/lib64 divergence on CentOS and ensure pkgmgr + Nix flake resolution works
consistently across distros.
• Docker entrypoint: add automatic CA-bundle detection and set NIX_SSL_CERT_FILE to fix
TLS issues on CentOS ('unable to get local issuer certificate') when Nix fetches flake
inputs.
These updates stabilize container-based tests and unify the runtime environment
for Fedora, CentOS, and other distributions.
Reference:
ChatGPT conversation: https://chatgpt.com/share/6937aa72-d33c-800f-a63f-c353e92de6b3
- Add .dockerignore rules to prevent Arch package artifacts from entering the build context
- Rework Dockerfile to remove stale package artifacts before makepkg and use a dev entry script
- Introduce docker-entry-dev.sh to always rebuild pkgmgr from the mounted /src tree
- Update Makefile 'test' target to rebuild pkgmgr inside the container before running tests
- Fix predictable makepkg failures caused by residual *.pkg.tar.* files
Conversation reference: https://chatgpt.com/share/6935e6e8-f3fc-800f-a4e9-7537114f13d1
References:
- Current ChatGPT conversation: https://chatgpt.com/share/6935d6d7-0ae4-800f-988a-44a50c17ba48
- Extended discussion: https://chatgpt.com/share/6935d734-fd84-800f-9755-290902b8cee8
Summary:
This commit performs a major cleanup and modernization of the installation pipeline:
1. Introduced a new capability-detection subsystem:
- Capabilities (python-runtime, make-install, nix-flake) are detected per installer/layer.
- Installers run only when they add new capabilities.
- Prevents duplicated work such as Python installers running when Nix already provides the runtime.
2. Removed deprecated pkgmgr.yml manifest installer:
- Dependency resolution is now delegated entirely to real package managers (Nix, pip, make, distro build tools).
- Simplifies layering and avoids unnecessary recursion.
3. Reworked OS-specific installers:
- Arch PKGBUILD now uses 'makepkg --syncdeps --cleanbuild --install --noconfirm'.
- Debian installer now builds proper .deb packages via dpkg-buildpackage + installs them.
- RPM installer now builds packages using rpmbuild and installs them via rpm.
4. Switched from remote GitHub flakes to local-flake execution:
- Wrapper now executes: nix run /usr/lib/package-manager#pkgmgr
- Avoids lock-file write attempts and improves reliability in CI.
5. Added bash -i based integration test:
- Correctly sources ~/.bashrc and evaluates alias + venv activation.
- ‘pkgmgr --help’ is now printed for debugging without failing tests.
6. Updated unit tests across all installers:
- Removed references to manifest installer.
- Adjusted expectations for new behaviors (makepkg, dpkg-buildpackage, rpmbuild).
- Added capability subsystem tests.
7. Improved flake.nix packaging logic:
- The entire project source tree is copied into the runtime closure.
- pkgmgr wrapper now executes runpy inside the packaged directory.
Together, these changes create a predictable, layered, capability-driven installer pipeline with consistent behavior across Arch, Debian, RPM, Nix, and Python layers.
